Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/21.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=site-to-site-VPN-troubleshooting-Amazon-VPC

Troubleshooting Amazon VPC site-to-site VPN connections

BGP peering doesn't automatically form

Condition

After creating a site-to-site VPN connection between your local network and Amazon VPC, BGP peering doesn't automatically form.

Sophos Firewall shows the following statuses:

  • AWS VPC Tunnel status is active and connected.
  • BGP summary shows neighbor status stuck in active.

AWS VPC console shows the following statuses:

  • AWS site-to-site VPN status is down.
  • AWS site-to-site VPN details show IPsec is up.

Cause

BGP CLI configuration includes no bgp default ipv4-unicast.

BGP CLI configuration includes no bgp default ipv4-unicast.

What to do

You must update the BGP configuration and make the new Amazon VPC BGP neighbors active. Do the following:

  1. Sign in to the command line using SSH. You can also access it from admin > Console in the upper-right corner of the web admin console.
  2. Go to 3. Route Configuration > 1. Configure Unicast Routing > 3. Configure BGP.
  3. Enter the following commands:
    1. enable
    2. conf t

  4. Replace <as-number> with the Sophos Firewall Local AS number and enter the command as follows:

    router bgp <as-number>

    Tip

    You can find the Sophos Firewall Local AS number under Routing > BGP > Global configuration.

  5. Replace <ip-address> with the IP address of the AWS site-to-site VPN connection and enter the command as follows:

    neighbor <ip-address> activate

  6. Enter write to save the configuration.

Here's an example:

Update the BGP configuration.